With the European Union's Cybersecurity Act now in full force, the European Union Agency for Network and Information Security, or ENISA, has a new name and a permanent mandate - as well as more money and staff - to oversee a range of cybersecurity issues.

Under the newly enacted EU cybersecurity law, which went into effect on Thursday, ENISA will be rebranded as the European Union Agency for Cybersecurity and given a permanent role overseeing areas of cybersecurity for all 28 member states.

The agency will oversee a new voluntary certification framework for security standards for products and services sold within the EU. As a result, the new agency will have significant influence over the development of new technologies, including internet of things devices.

By creating one EU product and service security standard, the agency will eliminate some of the confusion caused when different member states adopt different security standards, according to the European Commission.

"For example, smart meter producers currently need to undergo separate certification processes in France, the U.K. and Germany. Without a common framework for EU-wide valid cybersecurity certificate schemes, there is an increasing risk of fragmentation and barriers in the single market," according to a fact sheet on the new Cybersecurity Act.

The framework will make it easier for small and midsized businesses to get their products approved and into markets because they will not have to meet different cybersecurity standards and guidelines developed by individual member states, according to the European Commission fact sheet.

"I believe the European Cybersecurity Certification Framework detailed in the Act will play a leading role for the advancement and harmonization of cybersecurity certification in Europe and beyond," says Udo Helmbrecht, executive director of ENISA. "ENISA will have market-related tasks, notably by preparing 'European cybersecurity certification schemes' that will serve as the basis for certification of [information and communications technology] products, processes and services."

Numerous Cybersecurity Issues

Originally created in 2004, ENISA oversaw several aspects of the EU's security strategy, including infrastructure protection; cybersecurity exercises among member states; standardization and best practices for cybersecurity protection; and enforcing different cybersecurity laws.

Under older laws, however, ENISA did not have a permanent role within the EU, and its charter was set to expire in 2020. That changed with the passage of the EU Cybersecurity Act in 2018, which called for creation of a new, permanent agency.

The change comes at a time when the European Union and its member states are confronted with numerous cybersecurity challenges, including data breaches and ransomware attacks; threats from hostile nation-states looking to disrupt regional politics; and privacy issues highlighted by the year-old General Data Protection Regulation (see: 10 Highlights: Infosecurity Europe 2019 Keynotes).

Now that it has a permanent mission within the EU, the European Union Agency for Cybersecurity will be available to help individual member states defend against cyberattacks, according to its charter.

The new agency also will support coordination among member states when responding to a cyberattack and create incident reports after an attack to determine what went wrong and what new protections should be put into place to prevent a repeat of these intrusions, its charter notes.

New rules developed by the EU Council and passed into law earlier this year give the council the right to impose sanctions on non-EU countries that participate in or conduct cyberattacks against member states.

"It is crucial for citizens, businesses and member states to feel more secure, including in cases of large-scale cross-border cyberattacks," says Mariya Gabriel, an EU commissioner who oversees the digital economy and society for the union, in a statement.

The new agency will play a role in the development of cybersecurity policies within the European Commission and European Council as well as with individual member states. This includes the development of a voluntary vulnerability disclosure process for countries in the EU.

About the Author

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.
